GPG(GnuPG)是一种使用混合加密技术(对称/非对称,对称加密提升加密速度,公钥加密用来保证key交换时的安全性)的应用。它的主要作用在于:
- 身份验证。对自己的工作签名,比如git提交,邮件等。
- 加密。对交流的过程进行加密保护,防止被别人窃取。
如果是用gpg工具来生成和发布key的话,流程是这样的:
生成key
~> gpg --gen-key
gpg (GnuPG) 1.4.19; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 1y
Key expires at Sat Dec 23 16:20:33 2017 CST
Is this correct? (y/N) y
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
Real name: Rich Dickson
Email address: dickson.rich@richdick.com
Comment: richdick
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key. ##用密码保护master key
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
..+++++
...+++++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
..........+++++
........+++++
gpg: key C5071A6F marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 4 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 4u
gpg: next trustdb check due at 2017-08-02
pub 2048R/C5071A6F 2016-12-23 [expires: 2017-12-23]
Key fingerprint = 1D98 85B1 7D28 942B A265 3BEA AFD0 0C00 C507 1A6F
uid Rich Dickson (richdick) <dickson.rich@richdick.com>
sub 2048R/DDAF894F 2016-12-23 [expires: 2017-12-23]
把这个key导出保存在一个安全的地方,比如保险柜 :)
~> gpg --export-secret-keys --armor "Rich Dickson (richdick) <dickson.rich@richdick.com>" > richdick-private-key.asc
把public key发布出去
公共的key server可以选hkp://keys.gnupg.net或者keybase.io. Keybase用起来比较方便,下面以它来举例:
brew install keybase
keybase login
keybase pgp select --multi
# Algo Key Id Created UserId
= ==== ====== ======= ======
2 2048R AFD00C00C5071A6F Rich Dickson <dickson.rich@richdick.com>
Choose a key: 2
▶ INFO Bundle unlocked: AFD00C00C5071A6F
▶ INFO Generated new PGP key:
▶ INFO user: Rich Dickson (richdick) <dickson.rich@richdick.com>
▶ INFO 2048-bit RSA key, ID AFD00C00C5071A6F, created 2016-12-23
▶ INFO Key AFD00C00C5071A6F imported
我有个朋友叫Logan,我在keybase上搜索下它:
~> keybase search logan
loganhan twitter:logan_han github:logan-han coinbase:loganhan dns://han.life
假设我现在需要给它传递一段加密信息,那么可以这样:
~> echo 'Merry Xmas, Logan!' > secrets.txt
~> keybase encrypt -i secrets.txt -o secrets.txt.asc loganhan
▶ INFO Identifying recipient loganhan
✔ <tracked> public key fingerprint: BFC6 69B1 861B 8A71 044A 70F1 5E6A 5830 E81F 7EA2
You last followed loganhan on 2016-08-03 10:09:33 CST
加密后的内容如下:
BEGIN KEYBASE SALTPACK ENCRYPTED MESSAGE. kiQrUWZvE8pSlIf jYX6ZmEkk4Gba7a
....
3gZJb6yMWYBnlCU VCVZhPh2MvRiWne lhaaSZViJOXr407 Wt7NXT9RU6Mb96M 28XkWJMHHE60iwD ASc8SRp0HDuMCMg CXx6bMqIWf68ZfT yL19g5vgAGaQi8b yyY7tFMpJ5d5GJe eTa0ZP4AiI20Ez5 4eAZKoy9D4L3R77 ezDwAo5OscyQTUY voRvduVQoWhET3p w9eF13YSk2tajBq 7OuopZZOS1RjE9y sKnmYXLEvaiOKw0 . END KEYBASE SALTPACK ENCRYPTED MESSAGE.
我的同事如果收到这个加密后的文件的话,可以用下面的命令解密:
~> keybase decrypt -i secrets.txt.asc
Message authored by iambowen
Merry Xmas, Logan!
验证身份
我觉得如果希拉里的团队知道用邮件加密的功能,就不会被钓鱼,导致邮件泄密,最终败选。GPG可以用在多个地方去验证身份,比如Twitter、DNS、github等。以github为例,在个人的setting里面可以添加GPG的public key。
首先,导出GPG的public key,并在setting页面添加:
gpg --export --armor iambowen.m@gmail.com | pbcopy
本地配置git的signing key:
git config --global user.signingkey iambowen.m@gmail.com
提交的时候附加身份信息:
~> git commit -S
You need a passphrase to unlock the secret key for
user: "Bowen Ma (My GPG key) <iambowen.m@gmail.com>"
2048-bit RSA key, ID A02C6030, created 2016-06-21
[master 0a06550] Why: Testing commit with GPG
1 file changed, 1 insertion(+)
create mode 100644 README.md
在github检查这次提交
https://github.com/iambowen/microservices-training-lesson-8-security/commit/0a06550f2738b780544af839662fd9f6dfc506b4
可以看到提交者的身份已经被验证过了。
其实我个人使用GPG(或者keybase这个工具)去加密的场景很少,不过如果以后对于安全的要求加强,这个应该是可以用到的。
网友评论